Allow .exe through squid proxy

mrsquash2 · Oct 5, 2012, 4:38 PM

Hello everyone!

I have an exe that initializes an activex application. In order to work properly the exe needs to be able to access the internet without being blocked by the proxy. However, within squid I don't see anywhere that I would go to allow this functionality.

Does anyone have any tips on how to accomplish this?

Thanks

marcelloc · Oct 5, 2012, 6:09 PM

if it's on a single machine, just allow it's ip.

Are you using transparent proxy?

mrsquash2 · Oct 5, 2012, 6:34 PM

Yes, I am using transparent proxy.

The .exe file is on about 60 machines so I would like to let the .exe pass through the proxy for all systems on my domain.

marcelloc · Oct 5, 2012, 6:52 PM

if your change your .exe file to fetch it via https, it will not be filtered by squid.

mrsquash2 · Oct 5, 2012, 6:55 PM

Unfortunately, the .exe is part of a distributed package from a 3rd party vendor. Therefore I cannot alter their software.

Nachtfalke · Oct 5, 2012, 7:00 PM

you can bypass the proxy for a destination IP.
So if your exe is connecting to always the same IP (range) then add this to the bypass list on squid GUI.

mrsquash2 · Oct 5, 2012, 7:33 PM

Isn't the bypass list something that allows an internal client to bypass the proxy all together?

The only thing I have found so far to test is:

edit the squid.inc file

$rules .= "\n# Setup Squid proxy redirect\n";
if ($squid_conf['private_subnet_proxy_off'] == 'on') {
foreach ($ifaces as $iface) {
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 166.73.20.226/32, 166.73.20.167/32, 166.73.20.43/32, 66.238.16.200/32 } port 80\n";

marcelloc · Oct 5, 2012, 8:10 PM

this rule says to do not forward traffic to squid for these ips

Nachtfalke · Oct 6, 2012, 10:55 AM

@mrsquash2:

Isn't the bypass list something that allows an internal client to bypass the proxy all together?
(…)

It depends on what you allow to bypass. You can bypass the proxy by SOURCE IP or you can bypass the proxy by DESTINATION IP.

If you allow by SOURCE IP you are right, the host will bypass the proxy at all.
That's why I said you should use DESTINATION IP. Then the proxy will only be bypassed for this dest. IP but all other IPs must pass the proxy.

mrsquash2 · Oct 8, 2012, 12:47 PM

When I go to Services > Proxy Server I have the option "Bypass proxy for these source IPs" with a description of "Do not forward traffic from these source IPs through the proxy server but directly through the firewall. Separate by semi-colons (;)."

Are you saying that I can put DESTINATION IPs in here as well?

marcelloc · Oct 8, 2012, 1:05 PM

@mrsquash2:

Are you saying that I can put DESTINATION IPs in here as well?

Isn't the next field ..Bypass proxy for these destination IPs ?
Do not proxy traffic going to these destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]

mrsquash2 · Oct 8, 2012, 1:15 PM

I don't have that option.

I'm using:

Squid v2.7.8_1
SquidGuard v1.3-2
Lightsquid v1.7.1 pkg v.1.2

Do I need to upgrade to a newer version?

marcelloc · Oct 8, 2012, 1:40 PM

@mrsquash2:

Do I need to upgrade to a newer version?

It's on both squid versions (2.7.9 pkg v.4.3.1 and 3.1.20 pkg 2.0.5_5) on first package gui tab for a long time.

mrsquash2 · Oct 8, 2012, 2:37 PM

Upgraded to 2.7.9 pkg v.4.3.1 and added the IP DESTINATION bypass.

All seems to be working now.

Thanks!